Insufficient Control of Network Message Volume (Network Amplification)

CVE-2020-10772

High

7.5/10

Summary

An incomplete fix for CVE-2020-12662 was shipped for Unbound in Red Hat Enterprise Linux 7, as part of erratum RHSA-2020:2414. Vulnerable versions of Unbound could still amplify an incoming query into a large number of queries directed to a target, even with a lower amplification ratio compared to versions of Unbound that shipped before the mentioned erratum. This issue is about the incomplete fix for CVE-2020-12662, and it does not affect upstream versions of Unbound.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-406 - Insufficient Control of Network Message Volume (Network Amplification)

The software does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the software to transmit more traffic than should be allowed for that actor.

References

Advisory Timeline

Published Nov 27, 2020

Insufficient Control of Network Message Volume (Network Amplification)

CVE-2020-10772

Summary

CWE-406 - Insufficient Control of Network Message Volume (Network Amplification)

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS